I wrote a custom SQL Interface class to allow for dynamically created queries on Ajax applications (PHP). It's excellent for situations such as this, and doesn't rely on SQL Procedures to do the work. I verify data in the current script, then send it to overloaded functions which also (by default at least) clean strings and arrays to prevent nasty SQL injections. I think it provides alot more feature-rich query creation (via method overloading and SQL statement creation) and removes alot of security risks involved with dynamic SQL in SQL Procedures. What do other people think of this?